From Gaim's security issue list:
Buffer overflow. memcpy(); was used without checking the
size of the buffer before copying to it.
Additionally, a logic flaw was causing the wrong buffer to
be used as the destination for the copy under certain circumstances.
Remote crash. Gaim allocates a buffer for the payload of
each message received based on the size field in the
header of the message.
A malicious peer could specify an invalid size that exceeds
the amount of available memory.
Remote crash. After accepting a file transfer request,
Gaim will attempt to allocate a buffer of a size equal
to the entire filesize, this allocation attempt will cause
Gaim to crash if the size exceeds the amount of available memory.